Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Deployment fails "site: Access Denied" #6

Open
JanIHC opened this issue Jul 7, 2020 · 14 comments
Open

Deployment fails "site: Access Denied" #6

JanIHC opened this issue Jul 7, 2020 · 14 comments

Comments

@JanIHC
Copy link

JanIHC commented Jul 7, 2020

Any idea why I'm getting a "site: Access Denied" error during the deployment to our environment?

PS C:\Repositories\fullstack-app> serverless deploy

serverless ⚡framework
Action: "deploy" - Stage: "dev" - Org: "janasmuth" - App: "fullstack" - Name: "fullstack-app"

database: 
  name:    database-dev
  arn:     arn:aws:dynamodb:ap-southeast-2:155608619720:table/database-dev
  region:  ap-southeast-2
  indexes: 
    gsi1: 
      name: gsi1
      arn:  arn:aws:dynamodb:ap-southeast-2:155608619720:table/database-dev/index/gsi1

site: Access Denied

permissions: 
  name: permissions-dev
api: 
  url: https://mmvbkodzkf.execute-api.us-east-1.amazonaws.com
  api: 
    openapi: 3.0.3
    paths: 
      /users/register: (max depth reached)
      /test/:          (max depth reached)
      /users/login:    (max depth reached)
      /user:           (max depth reached)
    info: 
      version: 0.0.1

21s » Serverless » Errors: "deploy" ran for 3 apps successfully. 1 failed.

PS C:\Repositories\fullstack-app>
PS C:\Repositories\fullstack-app> serverless deploy

serverless ⚡framework
Action: "deploy" - Stage: "dev" - Org: "abc" - App: "fullstack" - Name: "fullstack-app"

database: 
  name:    database-dev
  arn:     arn:aws:dynamodb:ap-southeast-2:12345:table/database-dev
  region:  ap-southeast-2
  indexes: 
    gsi1: 
      name: gsi1
      arn:  arn:aws:dynamodb:ap-southeast-2:12345:table/database-dev/index/gsi1

site: Access Denied

permissions: 
  name: permissions-dev
  arn:  arn:aws:iam::12345:role/permissions-dev

api: 
  url: https://abcd.execute-api.ap-southeast-2.amazonaws.com
  api: 
    openapi: 3.0.3
    paths: 
      /users/register: (max depth reached)
      /test/:          (max depth reached)
      /users/login:    (max depth reached)
      /user:           (max depth reached)
    info: 
      version: 0.0.1

24s » Serverless » Errors: "deploy" ran for 3 apps successfully. 1 failed.
@eahefnawy
Copy link
Member

Hmmm that's odd 🤔 ... Does your AWS credentials have admin access? Could you try deploying the website independently by running the following command:

cd site
sls deploy

@juampick
Copy link

juampick commented Jul 7, 2020

I am having the same type of issues. When deploying first time or directly from root seems that is working ok.
But inside site is throwing permission denied issues.

@JanIHC
Copy link
Author

JanIHC commented Jul 7, 2020

@eahefnawy Same result if I deploy from the site folder and the AWS credentials have admin access.

PS C:\Repositories\fullstack-app\site> serverless deploy

serverless ⚡framework
Action: "deploy" - Stage: "dev" - Org: "fdsfd" - App: "fullstack" - Name: "site"

30s » Serverless » Error: Access Denied

@eahefnawy
Copy link
Member

Org: "janasmuth"

Org: "abc"

Org: "fdsfd"

Strange, why do you have a different org everytime? 🤔

@JanIHC Could you let me know your org name and your username in the Serverless Dashboard? I'll try to look this up in our internal logs.

@JanIHC
Copy link
Author

JanIHC commented Jul 8, 2020
edited

@eahefnawy my org name on serverless.com is janasmuth please ignore the other ones.

Could it be an issue that I'm trying to deploy to 'ap-southeast-2'?

@JanIHC
Copy link
Author

JanIHC commented Jul 10, 2020
edited

I ran serverless info --debug but still not sure what's wrong.

Will serverless components try to activate Public access on the bucket? We have deactivated public access on account level.

PS C:\Repositories\fullstack-app\site> serverless info --debug
Fetching App Info...

serverless ⚡framework
Action: "info" - Stage: "dev" - Org: "janasmuth" - App: "fullstack" - Name: "site"
Last Action:  deploy (a few seconds ago)
Deployments:  16
Status:       error
AccessDenied: Access Denied
    at Request.extractError (/var/runtime/node_modules/aws-sdk/lib/services/s3.js:816:35)
    at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
    at Request.emit (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
    at Request.emit (/var/runtime/node_modules/aws-sdk/lib/request.js:683:14)
    at Request.transition (/var/runtime/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/var/runtime/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at /var/runtime/node_modules/aws-sdk/lib/state_machine.js:26:10
    at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:38:9)
    at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:685:12)
    at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:116:18)
State:
region:     ap-southeast-2
bucketName: website-k0w9hna
bucketUrl:  http://website-k0w9hna.s3-website-ap-southeast-2.amazonaws.com
Outputs:
Serverless » Success

Full details: https://app.serverless.com/janasmuth/apps/fullstack/site/dev
Serverless » App info fetched

@JanIHC
Copy link
Author

JanIHC commented Jul 16, 2020

@eahefnawy do you have any other ideas what could be the issue or what I could try?

@tapegram
Copy link

tapegram commented Oct 7, 2020

Wanted to bump this as I'm seeing the same issue! Are there some aws permissions I am missing? My cli user has the AdministratorAccess policy so I'm not sure what is left to try adding.

@tapegram
Copy link

tapegram commented Oct 7, 2020

I was able to find a workaround for this by giving the site’s serverless.yml a bucketName with a . in it, since this forces it to skip acceleration. It appears this is happening because of the acceleration step, but I do not know how to fix that.

@rehrumesh
Copy link

Have the same issue

@kevin4dhd
Copy link

any solution?

@kevin4dhd
Copy link

I found the solution, I had to send an email since I did not have cloudfront activated and wait 2 days for it to be activated, I tried again and everything works correctly

@mattreddy3
Copy link

Hi all, one thing that got me past this point was adding S3, all permissions (hard to tell which one was needed from the error message). The other IAM errors were well-communicated but this was opaque. Hope it helps!

@nicmeriano
Copy link

nicmeriano commented Mar 21, 2021
edited

I'm having the same issue but only for one of my two environments (Dev & Prod). Whenever I try to deploy to Prod, the site component fails with an Access denied error, while everything works fine for Dev. These are associated with separate AWS accounts and I linked each stage in the Serverless console with a dedicated provider pointing to the associated account. I then deploy with sls deoploy --stage prod --aws-profile prod and while I see all the resources being created in the right account (API, permissions, Dynamo table), S3 fails.

If I try to change the S3 bucket name (following @tapegram 's advice) within serverless.yml I get the following error:

site: Changing the bucket name from site-prod to site.prod will remove your infrastructure.  Please remove it manually, change the bucket name, then re-deploy.

Both IAM users have admin access.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
8 participants
@tapegram @rehrumesh @eahefnawy @juampick @mattreddy3 @kevin4dhd @nicmeriano @JanIHC